ZITADEL•16mo ago

End session endpoint logs out other accounts even though id_token_hint is provided

I am logged in as devaccount and saved the

id_token

id_token

id_token

id_token from the token_endpoint in the session. During logout, I am invalidating session and redirecting the user to the zitadel's end session endpoint.

 $query = [
   'id_token_hint' => $idToken, // It is retrieved from the id_token from the zitadel token response
   'client_id' => $zitadelAppClientID,
   'post_logout_redirect_uri' => $postRedirectUri,
   'state' => Str::random(20)
];

header('Location: ' . $zitadelBaseUrl . '/oidc/v1/end_session?' . http_build_query($query));

 $query = [
   'id_token_hint' => $idToken, // It is retrieved from the id_token from the zitadel token response
   'client_id' => $zitadelAppClientID,
   'post_logout_redirect_uri' => $postRedirectUri,
   'state' => Str::random(20)
];

header('Location: ' . $zitadelBaseUrl . '/oidc/v1/end_session?' . http_build_query($query));

 $query = [
   'id_token_hint' => $idToken, // It is retrieved from the id_token from the zitadel token response
   'client_id' => $zitadelAppClientID,
   'post_logout_redirect_uri' => $postRedirectUri,
   'state' => Str::random(20)
];

header('Location: ' . $zitadelBaseUrl . '/oidc/v1/end_session?' . http_build_query($query));

 $query = [
   'id_token_hint' => $idToken, // It is retrieved from the id_token from the zitadel token response
   'client_id' => $zitadelAppClientID,
   'post_logout_redirect_uri' => $postRedirectUri,
   'state' => Str::random(20)
];

header('Location: ' . $zitadelBaseUrl . '/oidc/v1/end_session?' . http_build_query($query));

Based on the documentation it should logout only the last user and keep other two logged in.

ZITADEL Docs

OpenID Connect 1.0 Discovery

No replies yetBe the first to reply to this messageJoin

End session endpoint logs out other accounts even though id_token_hint is provided

Similar Threads

Similar Threads

Similar Threads